[Freeipa-devel] Adding a new DNA plugin configuration in IPAv3

Simo Sorce simo at redhat.com
Thu Feb 2 14:08:18 UTC 2012


On Thu, 2012-02-02 at 13:39 +0200, Alexander Bokovoy wrote:
> On Thu, 02 Feb 2012, Sumit Bose wrote:
> > Simo, thank you for giving detailed responses and explanations here. To
> > make it - hopefully - even clearer I try to describe the steps that are
> > necessary to enable IPA for trust and to create trust to AD domains.
> > 
> > I assume that we start from a running IPAv2 setup with replication:
> > 
> > 1. Update IPA to v3, install the new packages, run everything that is
> > needed for the update. This step will not create anything related to
> > trust (only the needed python code and config file templates are
> > installed)
> > 
> > 2. Call ipa-adtrust-install to enable IPA to handle trust, this will
> >   - create the samba configuration
> >   - add cn=trust to the DIT
> >   - generate a domain SID and store it in the DIT
> >   - add the well-known administrator and admin group SIDs to the admin user
> >     and the admins group respectively
> >   - activate the CLDAP directory server plugin
> >   - add DNA configuration to automatically add SIDs to users and groups
> > on the server where ipa-adtrust-install
> At this point 'ipa trust ...' set of commands mentioned in (5) will be 
> able to operate because we'll have enough information about our own 
> domain to proceed with trusts to other domains.
> 
> 
> > 3. Now SIDs can be added to users and groups, this can be done
> >   - as Simo mentioned above with the help of a directory server task to
> >     generate them as fast as possible
> >   - but if there are concerns about the traffic caused by the
> >     replication, this can also be done by an external script, with a
> >     rate limitation or during non-office hours
> > this process might take some time, but since it has to be done only once
> > I think it is even acceptable if it needs some days to finish, as long
> > as it is documented :-)
> Agree. 
> 
> There are two separate phases here, actually:
> 	- trust creation
> 	- trust usage
> 
> Normal usage is possible after step (3), creating trusts is possible 
> before (3), albeit it wouldn't be quite usable besides administrator 
> account.
>  
> > 4. Now ipa-adtrust-install can be called on other IPA servers which will
> > now skip the configuration steps which can already be found in the
> > replicated tree, some of the remaining ones are:
> >   - create the samba configuration
> >   - activate the CLDAP directory server plugin
> >   - add SID DNA configuration with an empty range
> ACK. There is also need to add DNS records to get these IPA servers in 
> use for AD discovery.

This is actually critical: the other servers need to have the DNA plugin
properly configured, otherwise creating a user on another server will
not add the SID, and we will have some users missing them.

So I am thinking that we have 2 strategies here:

- Require we run an ipa-trust-prepare script on all masters before we
populate users

- Add a new plugin, enabled by default at upgrade time, that is able to
detect that trust was activated, and when that happens it automatically adds
the CLDAP and DNA plugins needed configuration. There is also the
problem of the samba configuration (Still the server will need a restart
so it is not a complete solution I guess).

The second would be nice, but it seems a lot more complex than what we
can afford for a first release and still has some gotchas.

Also we need to consider that we may not want to make all servers expose
samba and cldap. In most cases admins would want to enable only servers
that are close to the AD domain they want to trust.

So we need the DNA plugin configured everywhere, because it works at
user creation, but we need to be able to *not* configure samba, cldap
(and _msdcs DNS records) where not wanted.

We will also need a way to show which servers are 'trust' enabled so
that admins can easily inspect their setup.

> > 5. Finally a trust to an AD domain can be created by calling 'net rpc
> > trust create ...' (Alexander is working on the integration into the ipa
> > utility so that it will be more like 'ipa adtrust-create' or similar).
> Yep.

ack to all the rest.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
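The point made above, that a master without DNA configuration silently creates users with no SID while a master with an "empty range" can still serve users by obtaining a slice of a peer's range, as an added illustration that is not part of this thread or of the FreeIPA/389-ds code. The domain SID, master names, range sizes and the peer range-transfer rule are constructed for the simulation and simplify the real DNA plugin's shared-config behaviour.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed domain SID for the simulation, not a real deployment value.
DOMAIN_SID = "S-1-5-21-111111111-222222222-333333333"


@dataclass
class Master:
    name: str
    dna_configured: bool      # is the SID DNA plugin configured on this master?
    next_rid: int = 0         # next RID to hand out
    max_rid: int = -1         # an "empty range" is next_rid > max_rid

    def has_range(self) -> bool:
        return self.dna_configured and self.next_rid <= self.max_rid


class Topology:
    """Simplified model (assumed) of per-master SID allocation."""

    def __init__(self, masters, chunk: int = 100):
        self.masters = {m.name: m for m in masters}
        self.chunk = chunk
        self.missing_sid = []  # users that ended up without a SID

    def _request_range(self, requester: Master) -> bool:
        # Assumed transfer rule: a peer with spare RIDs hands over the top
        # slice of its range (at most `chunk`, at most half of what it has).
        for peer in self.masters.values():
            if peer is requester or not peer.has_range():
                continue
            avail = peer.max_rid - peer.next_rid + 1
            if avail < 2:
                continue
            give = min(self.chunk, avail // 2)
            requester.next_rid = peer.max_rid - give + 1
            requester.max_rid = peer.max_rid
            peer.max_rid -= give
            return True
        return False

    def add_user(self, master_name: str, uid: str) -> Optional[str]:
        m = self.masters[master_name]
        if not m.dna_configured:                 # the failure mode from the mail
            self.missing_sid.append(uid)
            return None
        if not m.has_range() and not self._request_range(m):
            self.missing_sid.append(uid)
            return None
        rid, m.next_rid = m.next_rid, m.next_rid + 1
        return f"{DOMAIN_SID}-{rid}"


def build_demo():
    # master1 ran ipa-adtrust-install (range 1000-1999), master2 got DNA with
    # an empty range, master3 was never prepared at all.
    topo = Topology([Master("master1", True, 1000, 1999),
                     Master("master2", True),
                     Master("master3", False)])
    sids = {uid: topo.add_user(m, uid) for m, uid in
            [("master1", "alice"), ("master2", "bob"), ("master3", "carol")]}
    return topo, sids
```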